VLAN trunking - Check Point to Cisco

Posted on 2006-04-02
Last Modified: 2013-11-16

I am attempting to connect a Check Point VPN-1 Edge X16 to a Cisco 2950 via a VLAN trunk. I have defined the various VLANs on the firewall and set the DMZ/WAN2 port to be a VLAN trunk. This port is connected to Cisco 2950 port fa0/1, which is also defined as a trunk with a native VLAN of 1. Both the Check Point firewall and the Cisco show that the trunking type is 802.1Q, and both ends show link.

From a port-based unmanaged switch I can establish ICMP (ping) connectivity with all VLAN addresses defined on the Check Point firewall. I have a Solaris 10 system connected to a Cisco port defined on VLAN 1 (the management VLAN) and can access the command line and HTTP interfaces. What I cannot do is access any interface on the Check Point firewall from the Cisco switch.

One of the items I have noticed is that when the Solaris system, or a system on the unmanaged switch, attempts to ping the Cisco or the Solaris system, I get an error entry in the event log. Here is an entry from attempting to ping the firewall interface from the Solaris server: "00171 Apr 02 08:44:19 PM  ICMP192.168.11.2 [SPOOFED!] (Echo Request)". Here is the error when I attempt to ping the Solaris system from a system on the unmanaged switch: "00169 Apr 02 08:43:30 PM ICMP192.168.10.9 (Conundrum) (Charon) 8 (Echo Request)".

I have routes defined for all VLANs defined on the checkpoint firewall.

I need to be able to connect to the firewall to eventually access other VLANs and the outside world.

Any help is appreciated.

Question by: jvossler

    Expert Comment

    Could you clarify some details please ...

    Firewall interface is yet the log entry shows destination as Typo?
    How is the unmanaged switch connected? A system source address of indicates a different VLAN on the switch (and is this carried by the trunk?) or interface on the Firewall.

    The "SPOOFED" indication in the log means that is unexpected on whichever interface it has appeared on. Is the 192.168.11.X address of firewall configured on the interface for untagged traffic?

    Author Comment


    Sorry for the typo.

    Port 1 of the Check Point firewall is set up as a port-based VLAN and is connected to an unmanaged switch. This port and switch connect all the VLAN 10 systems (192.168.10.x). All of these systems are functioning correctly within themselves and to the outside world. From systems on this VLAN I can ping all the VLANs defined on the firewall. The firewall interfaces are all 192.168.X.1, where X represents the VLAN number. All of these networks are set up with a class C netmask.

    The VLAN trunk is connected from the checkpoint DMZ port that has been configured as a VLAN trunk. Port fa0/1 on the Cisco has also been configured as an 802.1Q VLAN trunk. The management interface of the Cisco is and the Solaris server connected to the Cisco is The port that the Solaris system is connected to is defined as VLAN 1, thus I can access the command line and http interfaces. The port statistics on the Cisco show that while there are sent packets on the VLAN trunk port there are no received packets. It appears as if the checkpoint device is not communicating.

    Also when I attempt to ping from the 192.168.10.x network to either the Solaris system or the ping fails. Traceroute output indicates that the packets are attempting to go out to the internet through the ISP. This feels like a rules/routing issue but it does not explain why the Solaris system cannot ping the checkpoint device.

    Let me know if you need any more information.

    Accepted Solution

    The pings are failing because the firewall believes the traffic from is being spoofed.

    Check that the interface configured for VLAN 1 has its topology configured to include the network, or has the network been configured for VLAN 11?
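    The anti-spoofing logic behind that answer, as an added example (this is not code from the thread or from Check Point): the firewall maps each arriving frame to a logical interface from its physical port plus its 802.1Q tag, then checks whether the source address belongs to a network configured behind that interface. The interface names, the subnets and the "no network on the native VLAN" assignment below are assumptions chosen to mirror the setup described in the thread (port-based VLAN 10 on port 1, 802.1Q trunk on the DMZ port, Cisco's default native VLAN 1).

```python
"""Model of the anti-spoofing check behind the firewall's "[SPOOFED!]" log entry.

Added example, not code from the thread or from Check Point. Interface names,
subnets and the native-VLAN topology are assumptions chosen to mirror the thread.
"""
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Dict, List, Optional

NATIVE_VLAN = 1  # Cisco default: untagged frames on an 802.1Q trunk belong to VLAN 1

# Physical ports on the firewall (assumed names).
TRUNK_PORTS = {"dmz"}     # 802.1Q trunk towards the Cisco 2950 fa0/1
ACCESS_PORTS = {"port1"}  # port-based VLAN 10 towards the unmanaged switch

# Anti-spoofing topology: logical interface -> networks allowed as SOURCE addresses.
# A logical interface on a trunk is "<port>.<vlan>"; a port-based VLAN is just the port.
TOPOLOGY: Dict[str, List[IPv4Network]] = {
    "port1":  [ip_network("192.168.10.0/24")],  # VLAN 10 hosts behind the unmanaged switch
    "dmz.1":  [],                                # native VLAN 1: no network assigned (assumed)
    "dmz.11": [ip_network("192.168.11.0/24")],  # tagged VLAN 11
}


def logical_interface(port: str, vlan_tag: Optional[int]) -> Optional[str]:
    """Map a physical ingress port plus 802.1Q tag to the firewall's logical interface.

    Returns None when the frame cannot be placed anywhere: a tagged frame on a
    port that is not a trunk, or an unknown port.
    """
    if port in TRUNK_PORTS:
        vlan = NATIVE_VLAN if vlan_tag is None else vlan_tag  # untagged -> native VLAN
        return f"{port}.{vlan}"
    if port in ACCESS_PORTS and vlan_tag is None:
        return port
    return None


def anti_spoof(topology: Dict[str, List[IPv4Network]], port: str,
               vlan_tag: Optional[int], src: str) -> str:
    """Verdict for a packet from `src` arriving on `port` with the given tag (None = untagged)."""
    iface = logical_interface(port, vlan_tag)
    if iface is None:
        return "DROP (no interface for this port/tag)"
    allowed = topology.get(iface)
    if allowed is None:
        return "DROP (unknown interface)"
    if any(ip_address(src) in net for net in allowed):
        return "ACCEPT"
    # The source network is not behind the interface the packet arrived on:
    # this is the "[SPOOFED!]" case in the thread's first log entry.
    return "SPOOFED"


# Scenarios from the thread (hosts are assumed: Solaris = 192.168.11.2 on Cisco VLAN 1).
def solaris_ping_untagged() -> str:
    # Cisco VLAN 1 is the native VLAN, so fa0/1 sends the frame UNTAGGED; the
    # firewall places it on dmz.1, where 192.168.11.0/24 is not expected.
    return anti_spoof(TOPOLOGY, "dmz", None, "192.168.11.2")  # SPOOFED


def fix_a_tag_vlan11() -> str:
    # Fix A: put the Solaris access port in VLAN 11 so the trunk tags its frames.
    return anti_spoof(TOPOLOGY, "dmz", 11, "192.168.11.2")  # ACCEPT


def fix_b_extend_native_topology() -> str:
    # Fix B: declare 192.168.11.0/24 behind the native-VLAN interface's topology.
    topo = {name: list(nets) for name, nets in TOPOLOGY.items()}
    topo["dmz.1"].append(ip_network("192.168.11.0/24"))
    return anti_spoof(topo, "dmz", None, "192.168.11.2")  # ACCEPT


def unmanaged_switch_ping() -> str:
    # Port-based VLAN 10 host: accepted, matching the second log line, which
    # carries no "[SPOOFED!]" marker (its reply path is a routing question).
    return anti_spoof(TOPOLOGY, "port1", None, "192.168.10.9")  # ACCEPT


def tagged_frame_on_access_port() -> str:
    # A tagged frame on a port-based VLAN port has no interface to land on.
    return anti_spoof(TOPOLOGY, "port1", 11, "192.168.11.2")  # DROP (...)


if __name__ == "__main__":
    for scenario in (solaris_ping_untagged, fix_a_tag_vlan11, fix_b_extend_native_topology,
                     unmanaged_switch_ping, tagged_frame_on_access_port):
        print(f"{scenario.__name__:32s} -> {scenario()}")
```

    Of the two fixes the model shows, tagging the host's VLAN (fix A) keeps the native VLAN free of user traffic, which is the safer trunk design; widening the native-VLAN topology (fix B) makes the spoof check pass but means every untagged frame from the switch, whatever its VLAN 1 policy, is now trusted for that subnet. The thread itself was ultimately resolved by a firmware upgrade, so the model only explains the log entry, not the device's behaviour after the fix.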

    Author Comment


    I have also been working with Check Point support, and they have to check with someone in Israel (???) to see if the Edge device will support both port-based VLANs along with tagged VLANs. They suspect that if the firewall is using trunking on the DMZ port, then none of the other switch ports can be used at all. Attempting to set one or more of them to a port-based VLAN results in indeterminate routing issues and errors caused by missing VLAN tags in the packet headers. network is reserved by the firewall OS for high availability applications, so my network is called VLAN1.

    I will post what comes from Check Point tomorrow.


    Author Comment


    The answer was to upgrade the firmware on the firewall. I was running the release that was loaded on the unit when we received it Sep 2005. This was release 5.0.46, the current version is 6.0.57. After performing the upgrade the device functioned as expected.

    Thank you for your assistance and diligence.

